Samuel is the network administrator of DataX Communications, Inc. He is trying to configure his firewall to block password brute force attempts on his network. He enables blocking the intruder’s IP address for a period of 24 hours’ time after more than three unsuccessful attempts. He is confident that this rule will secure his network from hackers on the Internet.
But he still receives hundreds of thousands brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall rule.
Later he adds another rule to his firewall and enables small sleep on the password attempt so that if the password is incorrect, it would take 45 seconds to return to the user to begin another attempt. Since an intruder may use multiple machines to brute force the password, he also throttles the number of connections that will be prepared to accept from a particular IP address.
This action will slow the intruder’s attempts.
Samuel wants to completely block hackers brute force attempts on his network.
What are the alternatives to defending against possible brute-force password attacks on his site?
A.
Enforce a password policy and use account lockouts after three wrong logon attempts even though this might lock out legit users
B.
Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the
Firewall manually
C.
Enforce complex password policy on your network so that passwords are more difficult to brute force
D.
You cannot completely block the intruders attempt if they constantly switch proxies
Both C and D are correct. But why is D more correct? The question asks “What are the alternatives to defending against…”. So, one way of defending against brute force attacks is complex password policy. Like D states, you can’t completely block intruders if they constantly switch proxies, but doing nothing is not an alternative defense… so please explain… Thanks.
The logic is that Enforcing a complex password policy on your network will only make brute forcing more difficult not defend against it completely. Additionally you could make the case that enforcing a complex password policy won’t even help as it’s brute forcing anyway only enforcing long passwords is going to help.
Personally I think A is more likely to be the correct answer if you lock out user accounts after three wrong login attempts and require a call to a helpdesk for verification before unlocking an account then that stops the brute force in it’s tracks unless they authenticate in person. Then it becomes a more targeted attack and cleanly falls in the “You cannot completely block the intruders attempt” catagory
Now that I re-read the question, A, B, and C are defenses to brute-force attacks. The question asks, “what are the alternatives to defending” and the “alternative” is D.
A. opens up your systems to DOS attacks against user accounts
D. is true enough for EC-Council
D